Constituent Event Types 
FileEdited 


FileRead, FileWrite, FileReadWrite 


odiiitf prucwssiu ana nienanaie. 

beforeHash of first read & afterHash of last write differ. 

Both reads and writes to same fileHandle. 

Sum of writes > 0. 


Thread 


FileCopied 


FileRead, FileWrite, FileReadWrite, 
FileCopy 


Command shell: Alternating reads & writes. The reads all have one 
filehandle, the writes all have a second one. 

Explorer: A long series of reads from one filehandle followed by a 
long series of writes to a second. Mind the time period between. 

In both cases, the target device must not be removable. 


Thread 


FileSaveAs 


FileRead, FileWrite, FileReadWrite 




Process 


FileLeftThroughRemovableMedia 


FileRead, FileWrite, FileReadWrite, 
FileCopy 


Same as FileCopied or FileSaveAs, but target device is removable. 


Process 


ClipboardToFile 


ClipboardCutCopy, ClipboardPaste 


Pair a ClipboardCutCopy with all subsequent ClipboardPaste 
events for that user login until the next copy or the user logs out. 

Problem: If the user closes the application that performed the copy 
and the object was large and the user opts not to keep it there, 
what happens? 


Login 


PrintFile 


Print, possibly others 


Unclear. If there are temp files, intermediate POP files, etc. then we 
may perform a chain of custody analysis to figure out just what was 
printed. 


Thread 


ouiniviaamr 


FileRead, FileWrite 


An app known to burn files reads one or more files then writes a 
file. 


Process 


BurnFile 


CDWrite, FileRead 


Application is recognized as a CD writing app. (Optional) 

Series of FileReads from one fileHandle, followed by a series of 
CDWrite events with the same process. May need to compare 
filenames, otherwise one read will exhaust all the writes. 
Alternately, all read files are lumped together with one large burn 
event. Or perhaps the first read of a new file after the last read from 
the previous file is the start of the next burn event. 


Process 


FileLeftThroughNetworkPort 


FileRead, 

TCPIPInbound, TCPIPOutbound, 
UDPInbound, UDPOutbound, 
IPSECInbound, IPSECOutbound 


An overlapping stream of FileReads interspersed with Inbound and 
Outbound network events. 

All the network events should be for the same port (?) and to a 
destination NOT on localhost. 

All the network events should be for the same protocol. 


Thread 
EmailFile 


FileRead, 

TCPIPInbound, TCPIPOutbound 


Similar to FileLeftThroughNetworkPort. Combines all interleaving 
FileReads with the network events. 

The application image name is one of those known to be an email 
program. 

May place constraints on the ports, since many emailers use 
certain well defined ports for SMTP, POP etc. 


Process 


InstantMessenger 


FileRead, 

TCPIPInbound, TCPIPOutbound 
1 on i inouunUt i vnr uuiuwwu, 

(other protocols???) 


Similar to FileLeftThroughNetworkPort. Combines all interleaving 
FileReads with the network events. 

The application image name is one of those known to be used for 
Instant Messenger. 

May place constraints on the ports. 


Process 


P2PApp 


FileRead, 

TCPIPInbound, TCPIPOutbound, 
UDPInbound, UDPOutbound, 
IPSECInbound, IPSECOutbound 


Constrain the application name to be one of those known to be a 
P2PApp. 

Multiple ports will be used; some or all of them may have 
constraints. 

May constrain the protocol per app or per instance. 

Similar to FileLeftThroughNetworkPort as concerns interleaved file 


Process 


FTPFile 


FileRead, FileWrite, 
??? (TCPIPInbound, 
TCPIPOutbound) 


May want to split into two events, one for reading and one for 
writing. 

Constrain to the common FTP port, unless the app is known by 
name to be an FTP client. 

Like FileLeftThroughNetworkPort, look for interleaved reads and 
network events, or interleaved writes and network events. 


Process 




TCPIPInbound, TCPIPOutbound, 
UDPInbound, UDPOutbound, 
IPSECInbound, IPSECOutbound 


Do not incorporate FileRead events. 

Several ports may be used. 

Look for known image names of remote apps. 


Process 


TunnelOut 


TCPIPInbound, TCPIPOutbound, 
UDPInbound, UDPOutbound, 
IPSECInbound, IPSECOutbound 


All events use same protocol. Only two processes used. 

Two different apps and four ports are used. One of the ports is 
remote. 

Event 1: The first app sends outbound from local port 1 to local port 

Event 2: The second app (the tunneler) receives inbound from local 
port 1 to local port 2. 

Event 3: The tunneler also sends from local port 3 to remote port 4. 
Both events of the tunneler share the same thread (probably). 


Login 


TunnelIn 


TCPIPInbound, TCPIPOutbound, 
UDPInbound, UDPOutbound, 
IPSECInbound, IPSECOutbound 


All events use same protocol. Only two processes used. 

Two different apps and four ports are used. One of the ports is 
remote. 

Event 1: The first app (the tunneler) receives inbound from remote 
port 1 to local port 2. 

Event 2: The tunneler sends outbound from local port 2 to local 
port 3. 

Event 3: The second app also receives inbound from local port 3 to 
local port 4. 

Both events of the tunneler share the same thread (probably). 


Login 


TunnelInOut 


TCPIPInbound, TCPIPOutbound, 
UDPInbound, UDPOutbound, 
IPSECInbound, IPSECOutbound 


Multiple protocols may be used. More research needed. More than 
three ports are used. 


Login 



•Re-* 6 



Docket No.: 3602.1000-003 

Title: Digital Asset Usage . . . 

Inventors: Nicholas Stamos, et al. 



Event Name 


Constituent Event Types 


Pattern 


Scope 


FileLeftThroughTunnel 


FileRead, TunnelOut 


Similar to FileLeftThroughNetworkPort. Combines all interleaving 
FileReads involving a process that is participating in a TunnelOut 
event. 

If more than one file is read, the source destination will be a count 
of the files read. 


Login? 
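
The FileLeftThroughNetworkPort and EmailFile rows above, worked as detection logic over a journal of atomic events. This is an added example, not code from the patent: the `Event` record layout, the sample journal, the image name `sync.exe` and the reading of "overlapping" as overlapping time spans are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

NET = {"TCPIPInbound", "TCPIPOutbound", "UDPInbound", "UDPOutbound",
       "IPSECInbound", "IPSECOutbound"}

@dataclass
class Event:          # assumed record layout, not the patent's
    ts: float
    type: str
    pid: int
    tid: int
    image: str
    path: str = ""    # set on FileRead
    dst: str = ""     # set on network events; must be an IP literal
    port: int = 0

def proto(e):         # "TCPIPOutbound" -> "TCPIP"
    return e.type.replace("Inbound", "").replace("Outbound", "")

def aggregate(events, name, scope, images=None, net_types=NET):
    """Fold FileRead and network events into one `name` aggregate per scope key."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if images is None or e.image in images:
            groups[scope(e)].append(e)
    found = []
    for key, grp in groups.items():
        reads = [e for e in grp if e.type == "FileRead"]
        net = [e for e in grp if e.type in net_types]
        # same protocol and port, destination not on localhost, streams overlap in time
        same = len({proto(e) for e in net}) == 1 and len({e.port for e in net}) == 1
        remote = not any(ip_address(e.dst).is_loopback for e in net)
        overlap = bool(reads and net) and reads[0].ts <= net[-1].ts and net[0].ts <= reads[-1].ts
        if same and remote and overlap:
            found.append({"event": name, "scope": key, "files": sorted({e.path for e in reads})})
    return found

def file_left_through_network_port(events):      # scope: Thread
    return aggregate(events, "FileLeftThroughNetworkPort", lambda e: (e.pid, e.tid))

def email_file(events, mailers):                 # scope: Process, TCP/IP events only
    return aggregate(events, "EmailFile", lambda e: e.pid, mailers, {"TCPIPInbound", "TCPIPOutbound"})

def sample():  # constructed journal: tid 7 sends while reading, tid 8 only reaches localhost
    r = lambda ts, tid, p: Event(ts, "FileRead", 100, tid, "sync.exe", path=p)
    s = lambda ts, tid, d: Event(ts, "TCPIPOutbound", 100, tid, "sync.exe", dst=d, port=8443)
    return [r(1.0, 7, "plan.doc"), s(1.1, 7, "203.0.113.9"), r(1.2, 7, "plan.doc"),
            r(2.0, 8, "b.txt"), s(2.1, 8, "127.0.0.1"), r(2.2, 8, "b.txt")]
```

Because EmailFile is scoped to the process rather than the thread, a single localhost connection anywhere in the process suppresses the aggregate under this reading of the pattern.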